Cyber Essentials +

Cyber Essentials +

Increasingly people are being made aware of the seriousness of cyber attacks. Malware and viruses, along with direct attacks have hit major corporations recently including the NHS. With the arrival of GDPR, and the necessity of protecting against data breaches it is vital that responsible steps are taken to protect against intrusion.

As part of our ongoing efforts in this area, Westwood Forster have just received certification for Cyber Essentials Plus. This is a UK government-backed industry supported scheme to help organisations protect themselves against common cyber attacks. In addition, since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services. This certification lays out requirements in key areas where cyber security is vital to protect the interests of both us and our clients; firewall configuration, device configuration, user access control, malware protection and patch management.

Gaining certification was not without problems and so we are sharing with you some of the issues we faced in this process that may help you to increase your own cyber security.

Early on in the process it became apparent that we had some legacy systems that could be vulnerable if attacked. Cyber security is about dealing with potential threats before they become a problem. Upgrading legacy systems took some time, and has alerted us to the fact that you must have a plan in place to keep operating systems and software up to date. If not, you will hit problems when these systems fall out of support by their suppliers. The next operating systems to go from Microsoft’s support lifecycle are Windows Server 2008 and 2008 R2, in 2020. Plans need to be in place now to migrate affected systems to a newer platform.

The other key area for us dealt with potential vulnerabilities on laptops and other connected devices. The assessment uses tools to scan the devices in your organisation and details any issues. Fixing these can be time consuming, and was a moving target. The lesson drawn from this was that these tools can be implemented within your organisation scanning on a regular basis so that potential vulnerabilities can be found and fixed as soon as they arise rather than being hit at the point of assessment.

Becoming certified does not mean the end of the journey, but the beginning of an ongoing process that will keep us prepared against attacks in the future, protecting our systems from potential data breaches as under the GDPR, and ensuring business continuity.

The best way to keep up to date with what is happening in this area is to follow us on Twitter @westwoodforster. We will be posting all these updates on Twitter as well as re-tweeting relevant information from the ICO and IOF. Please encourage others in your organisation to follow us as well.